

Terminology and concepts used in the WorkOS documentation.


An access token represents the successful authorization of your application to access a user’s profile. During the Single Sign-On authorization flow, you’ll receive an access token and profile in exchange for your authorization code.

An Assertion Consumer Service URL (ACS URL) is an endpoint where an identity provider posts SAML responses.

An API key is a unique identifier used to authenticate your API requests.

Attribute mapping allows IT administrators to customize the user claims that are sent to your application. WorkOS normalizes these claims, so you can depend on a reliable, expected set of user profile information.

An authorization code is a temporary code that you will exchange for an access token. During the Single Sign-On authorization flow, you’ll exchange your authorization code for an access token and profile.

An authentication challenge, also known as challenge-response authentication, is a set of protocols that helps validate actions and protect resources from unauthorized access.

An authentication factor is a category of credential that is intended to verify, sometimes in combination with other factors, that an entity requesting access to some system is who, or what, they are declared to be.

An authorization URL is the location your user will be directed to for authentication.


A Bearer Token is an HTTP authentication scheme that uses a single security token to act as the authentication of an API request. The client must send this token in the Authorization header when making requests to protected resources.

In the context of a Directory Sync integration, a Bearer Token is generated by WorkOS for SCIM providers such as Okta to authenticate endpoint requests.


The client ID is a public identifier for your application that maps to a specific WorkOS environment.

The client secret is a value only known to your application and an OAuth identity provider. Currently, client secrets are used in OpenID Connect and Google/Microsoft OAuth connections.

A connection is a way for a group of users (typically in a single organization) to sign in to your application.

A directory connection is a way to retrieve a complete list of users and groups from an organization.


An OIDC discovery endpoint is a URL that provides metadata about an OIDC provider, including the issuer URL, supported authentication and token endpoints, supported scopes, public keys for signature verification, and other configuration information.

The discovery endpoint is located at the path /.well-known/openid-configuration on the provider’s URL.

Clients can use this endpoint to dynamically discover and interact with an OIDC provider without requiring manual configuration.

A directory group is a collection of users within an organization who have been provisioned with access to your application.

A directory provider is the source of truth for your enterprise client’s user and group lists.

A directory user is a person or entity within an organization who has been provisioned access to your application.


An endpoint is a location where an API receives requests about a specific resource.

In the context of a Directory Sync integration, an endpoint is the standardized SCIM definition of two things: a /Users endpoint and a /Groups endpoint.


A Human Resources Information System (HRIS) is software designed to maintain, manage, and process detailed employee information and human resources-related policies.


An Identity Provider (IdP) is the source of truth for your enterprise client’s user database and authentication. Sometimes referred to when describing the IdP-initiated flow, which is an authentication flow that starts from an identity provider like Okta instead of your application.

An Identity Provider URI (Entity ID) is a globally unique name for an identity provider that performs SAML authentication assertions. Sometimes referred to as Identity Provider Issuer (Okta, Entra ID).

An Identity Provider SSO URL (IdP SSO) is the URL your application’s users will be redirected to for authentication with an identity provider. Sometimes referred to as Identity Provider SAML 2.0 Endpoint (OneLogin).

Identity Provider Metadata (IdP Metadata) is the URL or XML file containing all of the metadata relevant to a specific identity provider. It includes attributes used by a service provider to route SAML messages, which minimizes the possibility of a rogue identity provider orchestrating a man-in-the-middle attack.


Just-in-time (JIT) user provisioning creates a user in an app when the user attempts to sign in for the first time. The account and respective role don’t exist until the user creates them – just-in-time.

JSON Web Tokens are an open, industry-standard method for representing claims securely between two parties.


OAuth 2.0 is an open standard for authorization. WorkOS supports OAuth 2.0, and our Single Sign-On API is modeled after concepts found in OAuth.

OpenID Connect (OIDC) is an open standard and identity layer built on top of the OAuth 2.0 framework.


A redirect URI is a required, allowlisted callback URL. The redirect URI indicates the location to return an authorized user to after an authorization code is granted and the authentication process is complete.


Security Assertion Markup Language (SAML) is an open standard for authentication. Most of your enterprise clients will require SAML 2.0 authentication for their single sign-on.

System for Cross-domain Identity Management (SCIM) is an open standard for managing automated user and group provisioning. It’s a standard that many directory providers interface with.

Service Provider (SP) is SAML parlance for “your application”. Sometimes referred to when describing the SP-initiated flow, which is an authentication flow that starts from your application instead of an identity provider like Okta.

Service Provider Metadata (SP Metadata) is an XML file containing all of the metadata relevant to a specific service provider. Identity providers will use SP metadata files to make onboarding your application easier.


Time-based One-time Password (TOTP) is a temporary code, generated by an algorithm that uses the current time as a source of uniqueness.


An X.509 Certificate is a public key certificate used to authenticate SAML assertions. Sometimes referred to as Token Signature (AD FS).